UNCLASSIFIED

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 04/23/2012
To: Washington Field Attn: CY-4
New York CY-2, SA [redacted]
From: Washington Field
CY4/NVRA
Contact: [redacted]

Approved By:
Drafted By:

Title: UGNAZI;
TEAM-DIVERSITY;
DC.GOV - VICTIM;
COMPUTER INTRUSION - CRIMINAL


Synopsis: Request captioned matter be opened and assigned to the 
writer. 


Details: The purpose of this EC is to request captioned matter 
be opened and assigned to the writer. This matter is predicated 
based on information received from the complainant/victim 
organization, Government of District of Columbia (DC). 


On 4/20/2012, WFO CY-4 received information that the
DC's website, DC.gov, was under attack. Writer talked to [redacted],
Chief Technology Officer, Office of the Chief Technology
Officer (OCTO), Government of the District of Columbia, 441 4th
St. NW, Washington, DC 20001, telephone number: [redacted], via
telephone the same day. [redacted] reported DC.gov website was
under Distributed Denial of Service (DDOS) attack since 4/18/2012
6:45pm, 25 hours into the attack, OCTO was able to restore the
website and contained the DDOS attack. OCTO did not detect any
intrusions into DC government's computer network. [redacted]
forward writer an email contained possible perpetrators' twitter
[illegible] postings at Pastebin.com, and a link to
team-diversity.net. Within the twitter



postings included a link to Pastebin.com posting which revealed
DC city mayor Vincent C Gray's personal identification
information (PII).

On 4/20/2012, writer talked to DC Metropolitan Police
Department Task Force Office [redacted], telephone
number: [redacted], via telephone. [redacted] stated the MPD was
aware of the leak of DC Mayor's PII. The leaked PII was not
accurate and some were outdated.

Open source search on [redacted] and "UGNazi
@UGNazi" revealed two hacker group UGNazi, with website at
UGNazi.com, and Team Diversity at team-diversity.net. UGNazi
members were
Team Diversity members were

ACS search on [redacted] revealed he is the subject of
New York field office's case, case number UGNAZI.

In serial 40, [redacted] is identified as following:


True Name: 
Alias: 
Monikers 


Address: (current) 


Twitter: 
Website: 


Based on the information above, WFO request that a Full
Investigation be opened and assigned to [redacted]


LEAD(s):
Set Lead 1: (Info)
NEW YORK

AT CY2

Read and clear.


FD-302 (Rev. 10-6-95)

- 1 -
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 04/24/2012

On 4/24/2012, [redacted], Chief Technology Officer,
Office of the Chief Technology Officer (OCTO), Government of the
District of Columbia, 441 4th St. NW, Washington, DC 20001,
telephone number: [redacted], email: [redacted], was
interviewed in Washington, D.C. Also present during the interview
were [redacted], email address: [redacted], telephone
number: [redacted], cell phone number: [redacted]. After being
advised of the identity of the interviewing agent and the nature of
the interview, [redacted] provided the following information:

[redacted] provided two CDs, one contained PCAP files and
graphs from Distributed Denial of Service (DDOS) attack from
4/18/2012 to 4/19/2012, and the other contained the firewall logs
from that attack. [redacted] stated the personal information on DC
Mayor was not accurate and it was not the result of any computer
intrusions in DC government network. DC government has not
discovered any other DC government employee's personal information
was published on the internet.

[redacted] introduced writer to [redacted], Security
Operations, Office of the Chief Technology Officer, telephone
number: [redacted], email: [redacted]. [redacted] is
the point of contact for any technical questions regarding the DDOS
attack.

Investigation on 4/24/2012 at Washington, DC

File # Date dictated

by

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;
it and its contents are not to be distributed outside your agency.


(Rev. 05-01-2008)
UNCLASSIFIED

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 05/01/2012
To: Washington Field Attn: CY4
From: Washington Field
CY4/NVRA
Contact:

Approved By:
Drafted By:

Title: UGNAZI - UGNAZI; TEAM-DIVERSITY;
DC GOV - VICTIM;
COMPUTER INTRUSION - CRIMINAL

Synopsis: Documenting finding on [redacted]

Details: On 5/1/2012, writer found a twitter posting between
[redacted] contact him at [redacted] to discuss his attacks
on dc.gov website.

A Google search using email [redacted] and
email [illegible] information, revealed the following
website that link the Comcast email account to the “Team
Diversity” member


Additional searches revealed the following information: 

The third return result in Google’s organic (non-paid)
search returns was titled “Hack Forums - {Team Diversity} Selling
GT: stfu” and located at www.hackforums.net > Hack Forums >
Marketplace > Gametags. The excerpt in the search return
included the following text, “05-20-2011, 3:39 PM. GT Control
Proof: Spoiler (Click to view). [Image: g1Q59.jpg]. Contact AIM:
XBLTime.


A post made to codeupload.com (codeuploade.com/4851) on 23
December 2011 at 5:15 pm UTC [illegible]
stated the following:

1.
2.
3.
4.
5.
6. Team Diversity Gamertags
7. Team Diversity
8. Team Diversity
9. http://www.youtube.com/watch?tv=ebw j

The referenced YouTube post was no longer available at the time
of the open source searches.

An AOL LiveStream profile using moniker [redacted]
contained the following, “ADD [redacted]” on May 12 at
5:05 pm and “Selling Diversity Booter 300+ shells onlu $10” on
Jan 20 at 5:54 PM.

An Xbox Live Profile (live.xbox.com/en-US/Profile?gametag=my
bolt action) lists in the BIO section the following information,
“Team Diversity - [redacted]” and “AIMs: [redacted]
YouTube.com [redacted]”

Writer intended to subpoena registration information on
these email accounts and request search warrants as well.


UNCLASSIFIED

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 05/01/2012
To: Washington Field Attn: CY4
From: Washington Field
CY4/NVRA
Contact:
Approved By:

Drafted By:

Title: UGNAZI - UGNAZI; TEAM-DIVERSITY;
DC GOV - VICTIM;
COMPUTER INTRUSION - CRIMINAL

Synopsis: Documenting email communication with New York office.

Details: On 4/27/2012, writer received an email from SSA [redacted]
regarding terminating the lead to Los Angeles to interview
possible suspect [redacted] in order to avoid operational conflict
with the FBI New York investigation. Writer will continue all
other logical investigative steps to move case forward.
(Rev. 05-01-2008)
UNCLASSIFIED//FOR OFFICIAL USE ONLY

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 04/23/2012
To: Washington Field Attn: SA
New York Attn: SSA
Minneapolis Attn: SSA
SA
Phoenix Attn: SSA

From: Washington Field
ID-3, CY-4/NVRA/3E
Contact: IA

Drafted By:

Case ID #:
174C-MP-74385 (Pending)
Title: UGNAZI - UGNAZI; TEAM-DIVERSITY;
DC GOV - VICTIM;
COMPUTER INTRUSION - CRIMINAL

UNS
AKA
AKA
AKA
CHASKA POLICE DEPARTMENT, (VICTIM)
02/22/2012,
TELEPHONE BOMB THREATS

Synopsis: (U) To document open source searches revealing DDoS,
hacking and doxing activity by members of the UGNazi Hacktivist
Group.

Enclosure(s): Print-outs of referenced web pages will be
maintained to the captioned investigation's case file via 1A.

Details: (U//FOUO) By way of background, Washington Field Office
(WFO) squad CY-4 opened the captioned investigation into the
hacktivist group "UGNAZI" in April 2012 based on the group's
claims of responsibility for online attacks targeting computer
network infrastructure belonging to the District of Columbia
(Reference [redacted] for details). Open source
searches for [redacted] and the following identified group members
revealed the following information.


(U) A 19 April 2012 post to the "UGNaziNews"
Twitter [illegible], hereafter [illegible]
hyperlinked text ending in [redacted] linked [illegible]
Uniform Resource Locator (URL) [redacted]
that displayed a web page not available
error message for nyc.gov. The hyperlinked text ending in
[redacted] linked to an image at the URL [redacted]
that displayed a web page not available error for dc.gov.
The [redacted]
hyperlinked URL linked to a news story about the Hacker Group
UGNazi conducting Distributed Denial of Service (DDoS) attacks
against dc.gov and nyc.gov as an act of protest against the US
Government.

(U) A 19 April 2012 post to the UGNaziNews Twitter feed by
[redacted] The
[redacted] linked to an image at the URL [redacted]
that displayed a web page not available
error for washington.org.

(U) A 19 April 2012 post [redacted]
stated [redacted]
The hyperlinked pastebin URL linked to a
pastebin post that contained Personal Identifying Information
(PII) for Washington DC Mayor Vincent Gray; including Date of
Birth (DOB), Social Security Number (SSN), phone numbers and
addresses.


(U) A 19 April 2012 post to the UGNaziNews Twitter feed by
[redacted]
URL linked to an image at [redacted] that displayed a
web page not available error for nasdaq.com.


(U) A 20 April 2012 post
[illegible]
displayed a web page not available error for

(U) A 20 April 2012 post to the UGNaziNews Twitter feed by
[redacted] The hyperlinked URL linked to an
image at [redacted] that displayed a web page not
available error for wa.gov.

(U) A 23 April 2012 post [illegible] by
[redacted] The hyperlinked pastebin URL
linked to pastebin post that contained a message apparently
[illegible] Protection Act -
[illegible] 523 and [illegible]

(U) The hyperlinked [redacted] linked to a
pastebin post made in apparent retaliation for law enforcement
[illegible]
in protest of [redacted]
member [redacted] claimed to have [redacted]
and listed alleged
FBI.gov Server details, Intranet vulnerabilities, and d0xed 7
FBI agents allegedly involved in bringing down LulzSec. The

The d0x listed credit card numbers,
CVC2s, fbi.gov email addresses and passwords. The email
addresses did not conform to the format used by FBI email
accounts used on either unclassified or classified networks.


(U) FBI intranet directory searches on the names of
aforementioned d0xed agents did not return [illegible]
listings for FBI employees; with the exception of [redacted]
which returned information on a [redacted]
whose work telephone number indicated he works out
[illegible]

(U) The hyperlinked [redacted] linked to a
pastebin post that listed PII for 5 alleged "CIA Field Agents".
The post claimed the PII was obtained by hacking cia.gov email
accounts.


(U) A 23 April post to the UGNaziNews Twitter feed by the
[illegible] Twitter profile [redacted]
, hereafter referred [illegible]
[illegible] leaked [illegible]
The hyperlinked pastebin URL
linked to the aforementioned pastebin post tweeted by
[redacted]
linked to an image at [redacted]
that displayed a web not available error
for cia.gov.

(U) A 23 April post to the UGNaziNews Twitter feed by the
owner/operator of the UGNazi Twitter profile [redacted]
hereafter referred to as the

(U) A 23 April 2012 post to the UGNazi [illegible] by the
[illegible] the Twitter account [redacted]
[illegible] hyperlinked [redacted]
URL linked to a [redacted] that contained a [illegible] page (when
printed) list of PII for [redacted]
and his family, as well as what appeared to be content of
email messages in which [redacted] indicates that he "swatted" people.

contained a URL to an image at [redacted]
which displayed what appeared to be the
contact page for an online bank account or credit card account
manager for an account belonging to [redacted]
Based on the location of the URL in the
d0x, right below [redacted]'s Visa credit card information, it
is assessed with medium confidence that this screen shot image
may be for an account manager page tied to that credit card.


(U//FOUO) An ACS search revealed a connection between [redacted]
and a series of telephonic bomb threats being investigated by
Minneapolis Division ([illegible] details).

(U//FOUO) The following emails [illegible] in the [redacted] d0x were
run as search terms [illegible] yielded one positive
result for the email [redacted] The serial documented
open source derived information which tied the email account to
the name [redacted] which is [illegible] to the alias [redacted]
listed in [illegible] d0x [illegible]
serial 9 for [illegible]. The d0x also lists
[redacted]'s AOL Instant Messenger ID [redacted]
reference

(U) The [illegible] YouTube
profile for [redacted] that
contained the following comments dealing with swatting:


Analysis:
(U//FOUO) It is assessed with high confidence that the UGNazi
hacktivist group did not compromise FBI or CIA employee email
accounts as claimed in the aforementioned d0xing posts and NYO
ADIC letter post made by UGNazi members to pastebin. This
assessment is based on the following [illegible]

(U//FOUO) It is assessed with medium to high confidence that the
d0x published by the UGNazi hacktivist group targeting
[redacted] is true information possibly obtained by UGNazi
members through the compromise of one or more of the email
accounts listed in the d0x. This assessment is based upon the
preponderance of corroborating information listed below.

Based on the aforementioned details corroborating the
[redacted] d0x it is assessed with medium confidence that one or
more members of the UGNazi hacktivist group are capable (both in
motivation and skill level) of committing computer network
intrusion and/or social engineering resulting in the compromise
of online password protected accounts.


Accomplishment Information:
Number: 1
Type: SUBJECT IDENTIFIED
[illegible]: [redacted]
Claimed By:
SSN:
Name:
Squad


LEAD(s):
Set Lead 1: (Info)

NEW YORK

AT NEW YORK, NY

For New York Field Office Squad CY-2's situational
awareness. Read and clear.

Set Lead 2: (Info)

MINNEAPOLIS

AT MINNEAPOLIS, MN

For Minneapolis Field Office Squad CT-3's situational
awareness. See the information regarding the possible true
identity of [redacted] and alleged evidence of swatting activity
documented on pages 4 - 6 of the enclosed communication. The
[illegible]
report are enclosed in the accompanying 1A. Read and clear.

Set Lead 3: (Info)

PHOENIX

AT PHOENIX, AZ

For Phoenix Field Office Squad C-2's situational
awareness regarding d0xing victims and possible case subject
residing in Phoenix's AOR. Read and clear.


UNCLASSIFIED

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 05/11/2012

To: Cyber Attn: SSA
SSA
To: Charlotte Attn: SSA
To: Dallas Attn: SSA
To: Houston Attn: SSA
To: Los Angeles Attn: Cyb
To: Little Rock Attn: SSA
To: New York Attn: SSA
From: Washington Field
CY-4/NVRA
Contact:

Approved By:

Drafted By:

Case ID #:

Title: UGNAZI;
TEAM DIVERSITY;
DC.GOV - VICTIM;
COMPUTER INTRUSION - CRIMINAL

Synopsis: To document notification and liaison contact made with
Special Agent (SA) [redacted]
Office of Inspector General (OIG) on 05/11/2012.

Attachment: E-mail communication from Supervisory Special Agent (SSA) [redacted]
regarding a distributed denial of service attack (DDoS) of
the [redacted] web site dated 05/11/2012.

Details: On 05/11/2012, SSA [redacted] contacted SSA [redacted] via UNET
e-mail advising of a DDoS attack of the [redacted] web
page apparently conducted by members of UGNazi, including
individuals utilizing the monikers [redacted], respectively.

On this same date, via e-mail and telephone conversations,
SSA [redacted] advised [redacted] contacts of this
possible DDoS. SA [redacted] later confirmed their web site had in fact
been DDoSed but was now currently up and running. SA [redacted] is
[illegible] prosecutive opinion. SA [redacted] advised he may [illegible]
once he has a better understanding of the incident.

SSA [redacted] advised [illegible]
[illegible] through open
source research he identified Twitter feeds of individuals claiming
responsibility for the DDoS of [redacted] will continue
coordination efforts with [redacted] on this matter.

On 05/11/2012, SSA [redacted] forwarded a copy of the attached
e-mail thread related to this incident to all identified field offices
with potential equities in this matter for their situational
awareness.


Set Lead 1: (Info)

CYBER

AT WASHINGTON, DC

For information.

Set Lead 2: (Info)

CHARLOTTE

AT CHARLOTTE, NC

For information.

Set Lead 3: (Info)

DALLAS

AT DALLAS, TX

For information.

Set Lead 4: (Info)

HOUSTON

AT HOUSTON

For information.

Set Lead 5: (Info)

LOS ANGELES

AT LOS ANGELES, CA

For information.

Set Lead 6: (Info)

LITTLE ROCK

AT LITTLE ROCK, AR

For information.

Set Lead 7: (Info)

NEW YORK

AT NEW YORK, NY

For information.


Subject:

See the below re a confirmed DDoS of the [redacted] website purportedly conducted by
members of UGNazi to include [redacted]. My [redacted] POC advised they had
infrastructure in three places [illegible]. He is checking to determine the other
locations and which were effected and will get back to me.

SSA
FBI/WFO/NVRA/CY-4
(D)
(C)
703.686.6010 (F)

Subject: RE:

SSA
FBI/WFO/NVRA/CY-4
(D)
(C)
703.686.6010 (F)

[redacted], I am a Cyber Squad Supervisor in the WF Office and [illegible]
appreciate any information you have on the subjects involved in [illegible]

[redacted] is currently down due to DDoS attack by
[redacted]. I believe I have PII for
[redacted] to include name and home address. Can you
provide contact info for the agent looking into
[redacted]? My notes from today's meeting are

Subject: Re:
Please see below in regards to a DDoS attack attributed to [redacted] an

Sent: Thu May 10 23:12:11 2012
Subject:
and members of UGNazi to include
at the office and I will be out until May 21.
Twitter accounts for individuals captioned above are:

I'll keep you updated as info comes in.

(Rev. 05-01-2008)

UNCLASSIFIED

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 05/07/2012
To: Washington Field Attn: CY-4
From: Washington Field
CY4/NVRA
Contact:

Approved By:
Drafted By:
Case ID #: (Pending)

Title: UGNAZI - UGNAZI;
TEAM-DIVERSITY;
DC GOV - VICTIM;
COMPUTER INTRUSION - CRIMINAL

Synopsis: Requesting a STATS sub file to be opened.

Details: Writer requesting a STATS sub file to be opened under
captioned case in order to record all the statistical
accomplishments.


U.S. Department of Justice
Federal Bureau of Investigation

In Reply, Please Refer to
Northern Virginia Resident Agency
Manassas, VA 20109

May 2, 2012

Long Beach Police Department
Computer Crimes Detail

RE: Distributed Denial of Service (DDOS) attack on DC.gov website
from 4/18/2012 to 4/19/2012.

On 4/20/2012, the FBI Washington Field Office received
information that the DC's website, DC.gov, was under attack.
FBI Special Agent (SA) [redacted] talked to [redacted],
Chief Technology Officer, Office of the Chief Technology Officer
(OCTO), Government of the District of Columbia, 441 4th St. NW,
Washington, DC 20001, telephone number: [redacted], via
telephone the same day. [redacted] reported DC.gov website was
under Distributed Denial of Service (DDOS) attack since 4/18/2012
6:45pm, 25 hours into the attack, OCTO was able to restore the
website and contained the DDOS attack. OCTO did not detect any
intrusions into DC government's computer network. [redacted] sent
SA [redacted] an email in which contained postings on twitter.com,
Pastebin.com, and a link to team-diversity.net. Within the
twitter postings, user account [redacted]
[illegible] government, New [illegible]. In a twitter
posting between [redacted]
[illegible] report [illegible]
him at [redacted] to discuss the DDOS attacks on
dc.gov website. Further search in twitter postings revealed a
link to Pastebin.com posting which posted DC city mayor Vincent C
Gray's personal identification information (PII).

On 4/20/2012, writer talked to DC Metropolitan Police
Department Task Force Office [redacted], telephone
number: [redacted], via telephone. [redacted] stated the MPD was
aware of the leak of DC Mayor's PII. The leaked PII was not
accurate and some information were outdated.

[illegible]
[redacted] revealed two hacker group UGNazi, with website at
UGNazi.com, and Team Diversity at team-diversity.net. UGNazi.com

Following items are attached to this letter: a CD
contained screen shots of twitter postings and online articles
regarding DDOS attack on DC.gov, a CD contained PCAP file, and a
CD contained firewall log on DDOS attack.

The above information is provided to you for action as
deemed appropriate. [illegible] regarding this matter can be
directed to SA [redacted], Squad CY-4 (located at the
Northern Virginia Resident Agency), [redacted]

Sincerely,
Ronald T Hosko
Special Agent in Charge

By:
Supervisory Special Agent


UNCLASSIFIED

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 05/15/2012
To: Washington Field Attn: CY4
From: Washington Field
CY4/NVRA

Approved By:
Drafted By:
Case ID #: (Pending)

Title: UGNAZI - UGNAZI; TEAM-DIVERSITY;
DC GOV - VICTIM;
COMPUTER INTRUSION - CRIMINAL

Synopsis: Documenting finding on [redacted]

Details: On 5/2/2012, FBI Task Force Officer (TFO), Long Beach
Police Department Sgt. [redacted] contacted writer via email
and provided following information:

[redacted] was arrested for numerous
computer related crimes by the Long Beach Police Department
(LBPD) and is due in court later in May 2012. He has been
positively identified and search warrants have been served. Some
of his computers are in LBPD custody. The handling LBPD
Detective [redacted], telephone number: [redacted],
has done lots of work on [redacted] and his friends.
[redacted]'s personal information are following:

DOB:
Cell phone:
Address:

Subjects Mother:

Address:
Employer:
Work PB
Cell:


On 5/3/2012, TFO [redacted] contacted writer via email and
[illegible] list of the subjects who were identified by Detective
[redacted]. The following list was compiled from the SWATTING
and ID theft case Detective [redacted] is investigating:

Twitter:
Facebook
YouTube:

Notes: I have several PayPal transactions regarding the purchase
of VPN accounts.


(videos show DDoS of

Address:
On 5/4/2012, writer received an email from SA [redacted],
Los Angeles Division. A copy of LBPD report on [redacted] was
attached to the email. The LBPD report was prepared by Detective
[redacted], it detailed the [illegible] conducted for


UNCLASSIFIED

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 05/15/2012
To: Baltimore Attn: Cyber Squad
From: Washington Field
CY4/NVRA

Approved By:
Drafted By:
Case ID #: (Pending)

Title: UGNAZI - UGNAZI; TEAM-DIVERSITY;
DC GOV - VICTIM;
COMPUTER INTRUSION - CRIMINAL

Synopsis: Request concurrence from Baltimore Field Office to
conduct interview in Annapolis, MD.

Details: On 4/20/2012, Washington Field Office (WFO) CY-4
received information that the DC's website, DC.gov, was under
Distributed Denial of Service (DDoS) attack. During the course
of the investigation, writer determined the members of hacker
group UGNazi and Team Diversity were behind attack. Group member
[redacted], address: [redacted]
were positively identified
by Long Beach Police Department (LBPD) during their
investigation. LBPD provided WFO with information on [redacted] as
well as several

The following individual
resides in

AKA:
Name
DOB:
M/W
Address:

Home:
AIM:
Notes:


Writer intends to interview [redacted] to determine his
involvement in the DDoS attack against DC.gov and any other
illegal online activities.

Set Lead 1: (Info)

BALTIMORE

AT CYBER SQUAD

Request [illegible]
Annapolis, MD to interview


(Rev. 05-01-2008)

UNCLASSIFIED

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 05/18/2012

To: Washington Field Attn: SA
CY-04

From: New York
CY-02
Drafted By:

Case ID #:

Title: OPERATION CARDSHOP

UGNAZI - UGNAZI; TEAM-DIVERSITY;
DC GOV - VICTIM;
COMPUTER INTRUSION - CRIMINAL

Synopsis: To request Washington Field to delay contact with
individuals associated with UG Nazi.

Administrative: The following was emailed on May 17, 2012 as a
follow up to a phone conversation.

Subject: RE: interviews

Good afternoon [redacted]

I appreciate the heads up regarding the information below.
As per our phone conversation, please wait until the coordinated
takedown, scheduled for June 26, 2012, to contact these guys.

We are unfamiliar with [redacted] at the moment, [illegible] a
registered member of our UC forum. Many of the UG guys have
direct connection with our UC forum and it will not be advisable
to approach them prior to June 26.

Lastly, [redacted] is out of the office and will be back on Monday.
He'll work on getting those logs to you next week.

Thanks!

Subject: interviews

Hey guys, I got a list of names from [illegible] beach pd det
[redacted]. Those are the ppl Det [redacted] identified in his
investigation into [redacted] and they associated with [redacted] online.
I notice there are couple of guys live close by to dc, would like
to interview them regarding their role in DC.gov attack and any
other illegal activities. Just want to be a team play and make
sure not stepping over each other. Oh by the way, did you
get chance to sent out those logs from NY.gov and NASDAQ.com
attacks? thanks

AKA:
Name
DOB:
M/W

Address:
Home:

M/W
Address:


Details: New York respectfully requests Washington Field to
delay contact with the individuals associated with UGNazi, to
include the members mentioned above.

LEAD(s):
Set Lead 1: (Info)
WASHINGTON FIELD
AT WASHINGTON, DC
New York respectfully requests Washington Field to
delay contact with the individuals associated with UGNazi, to
include the members mentioned above.


UNCLASSIFIED

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 05/22/2012
To: Washington Field Attn: CY-4
From: Washington Field
CY4/NVRA
Contact: [redacted]

Approved By:
Drafted By:
Case ID #: (Pending)
(Pending)
Title: UGNAZI - UGNAZI; TEAM-DIVERSITY;
DC GOV - VICTIM;
COMPUTER INTRUSION - CRIMINAL

Synopsis: Reporting investigation conducted.

Details: From 5/2/2012 to 5/18/2012, through twitter postings by
[redacted] at [redacted] and third party reporting, writer learned
hacker group UGNazi was involved in attacks on IC3.gov, ed.gov,
Washington Military Department website, ca.gov, Government of
Anguilla (gov.ia), visa.com, cia.gov, wtf.com, Discover.com.

Pertaining to attack on wtf.com, information indicated
UGNazi hacked its registration information. Writer did a
Domaintools lookup on wtf.com and find following as the
registration information:

Registrant:
UGNazi, Inc.
ATTN WTF.COM
care of Network Solutions
PO Box 459
Drums, PA. US 18222

Administrative Contact, Technical Contact:

Created: 1995-08-12
Expires: 2019-08-11
Updated: 2012-05-47


UNCLASSIFIED 


L len 2.ec 


b6 
b7C¢ 


b7E 


b6 
b7C¢ 


b6é 
b7C¢ 


® UNCLASSIFIED @ 


TO: j i From: Washington Field 
Re: 5/22/2012 


Writer contacted [redacted], Investigator at 
Network Solutions, [redacted], number: 703-668-5959, 
via telephone on 5/22/2012. [Redacted] confirmed that wtf.com is 
registered through Network Solutions; the real registrant 
information and domain management account login information are 
available upon request through a subpoena. 


UNCLASSIFIED 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/24/2012 
To: Washington Field Attn: CY-4 
From: Washington Field 
CY4/NVRA 


Approved By: 
Drafted By: 
Case ID #: (Pending) 
(Pending) 
Title: UGNAZI - UGNAZI; TEAM-DIVERSITY; 
DC GOV - VICTIM; 
COMPUTER INTRUSION - CRIMINAL 


Synopsis: Reporting AUSA's response. 


Details: On 5/17/2012, writer submitted a subpoena request for 
registrant information on wtf.com to Assistant US Attorney 
[redacted] for approval. [Illegible passage, beginning with a date 
and referring to a prosecutor in Washington] 
wtf.com intrusion to Detective [redacted], telephone: 
[redacted], email: [redacted], Long Beach 
Police Department for his case. 


FD-302 (Rev. 10-6-95) 
FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 06/08/2012 


From 5/2/2012 to 5/18/2012, through twitter postings by 
[redacted] and third party reporting, writer learned hacker 
group UGNazi was involved in attacks on IC3.gov, ed.gov, Washington 
Military Department website, ca.gov, Government of Anguilla 
(gov.ia), visa.com, cia.gov, wtf.com, Discover.com. 


Pertaining to attack on wtf.com, writer conducted another 
domain lookup on wtf.com on 5/24/2012 and found the following as the 
registration information: 


Registrant: 

Wtf, Inc. 

4550 Ocala Drive 
Parma, OH 44134 
US 


On 4/24/2012, [redacted], telephone number: [redacted], 
was interviewed via telephone. After being advised of the 
identity of the interviewing agent and the nature of the interview, 
[redacted] provided the following information: 


[Redacted] noticed his website wtf.com was redirected to 
ugnazi.com on 5/16/2012 and at same time he could not access his 
domain management account at Network Solution and his emails with 
Cox.net and Google. [Redacted] has phone and internet services 
through Cox.net; when he contacted Cox, he found out his account 
was compromised, and call forwarding was set up so all his calls were 
forwarded to [redacted] at [redacted]. [Redacted] 
tried to call himself, but instead of going to his voice 
mail like it used to, someone picked up the call and 
did not say anything. [Redacted] also recalled a backup [illegible] 
his Cox account was changed to an email beginning with [redacted] 
ending in ".com". [Illegible] his domain management account at 
Network Solution was compromised and wtf.com registrant information 
was changed on 5/17/2012 around 12:30 am. [Illegible] with 
[redacted] LNU at Network Solution, 570-708-8700, ext [redacted]. Network 


Investigation on 6/5/2012 at Washington DC (via facsimile) 


Date dictated 


by SA 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 


FD-302a (Rev. 10-6-95) 


Continuation of FD-302 of [redacted], On 6/5/2012, Page 2 


created, as far as [redacted] could recall, one was [redacted] 
and the other was [redacted] at UGNazi.com Inc. 
[Redacted] he has no relationship with any members of UGNazi and doesn't know 
why he was targeted. All of his accounts have since been 
reinstated. 


[Redacted] is willing to provide the login logs for his 
Gmail and Network Solutions accounts. 




UNCLASSIFIED 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 06/12/2012 
To: Washington Field Attn: CY-4 


From: Washington Field 


CY4/NVRA 
Contact: 


Approved By: 
Drafted By: 
Case ID #: (Pending) 
Title: UGNAZI - UGNAZI; TEAM-DIVERSITY; 
DC GOV - VICTIM; 


COMPUTER INTRUSION - CRIMINAL 


Synopsis: Reporting investigation conducted. 
Details: On 6/7/2012, writer received an email with spreadsheet 
attachment named "Login History.xls" from [redacted], 
Investigator at Network Solutions (NS), 
[redacted]. The spreadsheet contained login 
information for domain management account for wtf.com. NS 
released this information to the FBI upon receiving a written 
consent from the owner of the wtf.com, [redacted]. The 
following is the login history: 


Login History for Account [redacted] 


Date              Success   Relationship 
5/17/2012 17:12   FALSE     Primary 
5/17/2012 17:10   FALSE     Primary 
5/17/2012 17:09   FALSE     Primary 
5/17/2012 15:33   FALSE     Primary 
5/17/2012 15:31   FALSE     Primary 
5/17/2012 15:30   FALSE     Primary 
5/17/2012 15:30   FALSE     Primary 
5/17/2012 15:29   FALSE     Primary 
5/17/2012 2:00    TRUE      Primary 
5/17/2012 2:00    FALSE     Primary 
5/17/2012 1:48    TRUE      Primary 



To: Washington Field From: Washington Field 
Re: 06/12/2012 


Date              Success   Relationship 
5/17/2012 0:17    TRUE      Primary 
5/17/2012 0:07    TRUE      Primary 
5/17/2012 0:07    FALSE     Primary 
5/17/2012 0:06    TRUE      Primary 
5/17/2012 0:04    TRUE      Primary 
5/16/2012 23:59   TRUE      Primary 
5/16/2012 21:53   TRUE      Primary 
5/16/2012 21:14   TRUE      Primary 
5/16/2012 21:13   FALSE     Primary 
5/16/2012 21:04   TRUE      Primary 
5/16/2012 20:55   TRUE      Primary 
5/16/2012 20:45   TRUE      Tech 
5/16/2012 20:44   TRUE      Primary 
5/16/2012 20:40   TRUE      Primary 
5/16/2012 19:37   TRUE      Primary 
5/16/2012 19:09   TRUE      Primary 
5/16/2012 15:32   TRUE      Tech 
5/16/2012 12:32   TRUE      Tech 
5/16/2012 12:32   FALSE     Tech 
5/16/2012 1:51    TRUE      Tech 
5/16/2012 0:23    TRUE      Tech 
5/16/2012 0:19    TRUE      Tech 
5/16/2012 0:19    TRUE      Tech 
2/10/2012 17:24   TRUE      Primary 
2/10/2012 17:19   FALSE     Primary 
2/10/2012 17:19   FALSE     Primary 


IP address [redacted] resolved to [redacted] 


Domain name: 
Registrar: 
Whois Server: 


Registrant Contact: 


[Redacted] is his home IP address. 




To: Washington Field From: Washington Field 
Re: 06/12/2012 


[Illegible] ID associated with all the 
logins, NS indicated these are the 
user account IDs; each contained user personal information. 
Information on these user accounts is pending from NS. 

